Serverless Security Workshop

Serverless Security Workshop

ServerlessDays London, July 12th, 2019

In this workshop, you will learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora. We will cover AWS services and features you can leverage to improve the security of a serverless applications in 5 domains: identity & access management, infrastructure, data, code, logging & monitoring.

You'll start by deploying a simple serverless application. However, this application is not very secure, and we need your help to implement measures to protect this serverless API from attackers. By following different modules covering various aspects of security, you will help improve the security of the application.

The content for the workshop is available online:

https://github.com/aws-samples/aws-serverless-security-workshop

7c9b8b368924556d8642bdaed3ded1f5?s=128

Danilo Poccia

July 12, 2019
Tweet

Transcript

  1. 1.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Serverless Security Workshop Danilo Poccia, Principal Evangelist @danilop James Beswick, Senior Developer Advocate @jbesw Heitor Lessa, Specialist Solutions Architect @heitor_lessa Simon Thulbourn, Specialist Solutions Architect @sthulb S e r v e r l e s s D a y s L o n d o n 2 0 1 9 . 0 7 . 1 2
  2. 2.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Agenda • Serverless security – is it different? • Security domains for serverless applications • Workshop scenario • How to secure serverless applications • Hands-on
  3. 3.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Sample architecture for serverless API endpoint Amazon API Gateway AWS Lambda Amazon DynamoDB Amazon RDS Users Amazon Cognito
  4. 4.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Sample architecture for serverless web app Amazon API Gateway AWS Lambda Amazon DynamoDB Amazon RDS Users Amazon CloudFront Amazon S3 Amazon Cognito
  5. 5.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. How is serverless security different? Different: • Reduced scope • Ephemeral environment • More events can trigger your AWS Lambda • Old techniques might not be relevant But still… • Need to secure databases, S3 buckets, etc. • Need to secure your code. • Need to use minimum privilege access. • Need to monitor usage and data flow. https://www.protego.io/ebook/
  6. 7.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Domains of security for (serverless) applications Infrastructure Data Code Identity & Access Logging & Monitoring
  7. 8.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. OWASP 2017- Top 10 Web Application Security Risks Rank Security risks 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities (XXE) 5 Broken Access Control 6 Security Misconfiguration 7 Cross-Site Scripting (XSS) 8 Insecure Deserialization 9 Using Components with Known Vulnerabilities 10 Insufficient Logging & Monitoring https://www.owasp.org • Exploitability • Prevalence • Detectability • Technical impact
  8. 9.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. OWASP Top 10 mapped to security domains Infrastructure Data Code Identity & Access Logging & Monitoring • Broken Authentication(#2) • Broken Access Control (#5) • Injection (#1) • XXE (#4) • XSS (#7) • Insecure Deserialization (#8) • Using Components with Known Vulnerabilities (#9) • Sensitive Data Exposure (#3) • Using Components with Known Vulnerabilities (#9) • Security Misconfiguration (#6) • Insufficient Logging & Monitoring (#10)
  9. 11.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Scenario: Wild Rydes (www.wildrydes.com)
  10. 12.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. 3rd party functionality– unicorn customization Visit beautiful Unicornpolis! Sock image Credit: Freepik from www.flaticon.com
  11. 13.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. List customization options and prices: GET /capes GET /glasses GET /horns GET /socks 3rd party API: Unicorn customization Image Credit: Smashicons, Freepik, from www.flaticon.com johnny_automatic from www.openclipart.org
  12. 14.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. 3rd party API: Unicorn customization Create and manage customizations POST /customizations GET /customizations GET /customizations/{id} DELETE /customizations/{id}
  13. 15.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Admin API: register 3rd party partners Register new partners POST /partners
  14. 16.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Workshop architecture – starting point Amazon API Gateway AWS Lambda Amazon RDS 3rd party Not secure!
  15. 17.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Your task: secure the application against attackers! Image Credit: pongsakornred, Freepik from www.flaticon.com
  16. 18.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Workshop Link to the workshop: https://amzn.to/serverless-security Module 0 mandatory Module 1-8: Pick your own battle! Infrastructure Data Code Identity & Access Logging & Monitoring Module 1: auth Module 2: Secrects Module 8: X-Ray Module 4: Encryption in transit Module 5: usage plans Module 6: WAF Module 3: input validation Module 7: dependency vulnerability
  17. 20.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Identity and access management for serverless applications • Authenticate and authorize end- users/clients • Access between backend services (e.g. AWS Lambda to DynamoDB tables) Infrastructure Data Code Identity & Access Logging & Monitoring
  18. 21.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Identity and access management for serverless applications Access control between services Authenticate & authorize end-users/clients
  19. 22.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Workshop module 1: OAuth Client Credentials Flow Client Authorization server Resource server Client credentials (ClientID + Client Secret) Access token Call protected resource with access token protected resource response Resource server Authorization server Client
  20. 23.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Workshop module 1: add authentication Amazon API Gateway AWS Lambda Amazon RDS (Aurora MySQL) 3rd party Amazon Cognito Client authentication AWS Lambda (Custom authorizer) Verify access token and scope Amazon DynamoDB (Mapping ClientID -> backend companyID) Download public key to validate token OWASP #2: Broken Authentication OWASP #5: Broken Access Control
  21. 24.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Workshop module 1: add authentication Amazon Cognito Admin App client: • Client ID: ZZZ • Client Secret Company bar app client: • Client ID: YYY • Client Secret Company foo app client: • Client ID: XXX • Client Secret Amazon Aurora Company table ID Name 1 Foo 2 Bar … Mapping table ClientID BackendID XXX 1 YYY 2 Amazon DynamoDB
  22. 25.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Securing code for serverless applications • Input validation • Dependency vulnerabilities • Secrets in source code Infrastructure Data Code Identity & Access Logging & Monitoring
  23. 26.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Securing code for serverless applications Input validation Storing secrets • AWS WAF: • XSS Rules • SQL injection rules • AWS Secrets Manager • Systems Manager Dependency vulnerabilities
  24. 27.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Module 2: Secret Manager Amazon API Gateway AWS Lambda Amazon RDS (Aurora MySQL) 3rd party AWS Secrets Manager CloudFormation Secret Rotation OWASP #3: Sensitive Data Exposure
  25. 28.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Module 3: Input Validation Amazon API Gateway 3rd party AWS Lambda { ”unexpectedAttr":"1", } Request body { ”name":”AwesomeUnicorn", "imageUrl": "http://this.jpg", "sock": "1", "horn": "1", "glasses": "1", "cape": "1" } /customizations POST • OWASP #1: Injection • OWASP #8: Insecure Deserialization
  26. 29.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Module 7: Dependency Vulnerability • Check for vulnerabilities on our dependencies • OWASP Dependency Check: https://www.owasp.org/index.php/O WASP_Dependency_Check • Third party tools • Remove unused dependencies • depcheck: https://www.npmjs.com/package/de pcheck http://npm.anvaka.com/#/view/2d/request • OWASP #9: Using Components with Known Vulnerabilities
  27. 30.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Securing data for serverless applications Your responsibility: • Data Classification and Data Flow • Tokenization • Encryption at rest • Encryption in transit • Data Backup/Replication/Recovery Infrastructure Data Code Identity & Access Logging & Monitoring Managed backups/ encryption
  28. 31.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Securing data for serverless applications Data Classification Data backup/Replication Data Encryption at rest Data Flow Data Encryption in transit Data Tokenization
  29. 32.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Module 4: encryption in transit Amazon API Gateway AWS Lambda Amazon RDS (Aurora MySQL) 3rd party { host: ”database.host.com", user: "admin", password: ”xxxxxxx", database: "unicorn_customization", ssl: "Amazon RDS" } { host: ”database.host.com", user: "admin", password: ”xxxxxxxxx", database: "unicorn_customization" } OWASP #3: Sensitive Data Exposure
  30. 33.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Securing infrastructure for serverless applications Your responsibility: • DDOS protection • Throttling/ Rate limiting • Network boundaries Infrastructure Data Code Identity & Access Logging & Monitoring
  31. 34.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Securing infrastructure for serverless applications DDOS protection + Throttling/ Rate limiting Network boundaries • AWS WAF: • Geoblocking • IP reputation lists • Rate-based rules • Size constraint
  32. 35.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Module 5: Usage Plans Amazon API Gateway AWS Lambda Amazon RDS 3rd party AWS Lambda (Custom authorizer) + API key + API key
  33. 36.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Module 6: WAF AWS Lambda 3rd party Amazon API Gateway AWS WAF Amazon RDS
  34. 37.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Logging & monitoring for serverless applications • Application logs • Access logs • Control plane audit logs • Metrics • Alarms • Compliance validation Infrastructure Data Code Identity & Access Logging & Monitoring
  35. 38.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Logging & monitoring for serverless applications Logging and tracing Metrics Compliance validation
  36. 39.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Module 8: X-Ray OWASP #10: Insufficient Logging & Monitoring
  37. 40.

    © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Workshop Link to the workshop: https://amzn.to/serverless-security Module 0 mandatory Module 1-8: Pick your own battle! Infrastructure Data Code Identity & Access Logging & Monitoring Module 1: auth Module 2: Secrects Module 8: X-Ray Module 4: Encryption in transit Module 5: usage plans Module 6: WAF Module 3: input validation Module 7: dependency vulnerability
  38. 41.

    Thank you! © 2019, Amazon Web Services, Inc. or its

    affiliates. All rights reserved. @danilop